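/*
 * ciscotools: hunting rule for references to the authors' published tooling.
 *
 * Fires when any one of the literals below (a labs hostname, project and
 * author handles, tool names) occurs anywhere in the scanned data.
 *
 * Matching is plain substring matching, so legitimate copies of the tools,
 * package manifests, documentation and write-ups hit as well. Treat a match
 * as a triage lead to be correlated with other telemetry, not as a verdict.
 */
rule ciscotools {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Hunts for references to our tools"
  strings:
    // "ascii wide" also matches UTF-16LE copies of each literal (Windows
    // binaries, registry data, script-block logs), not only 8-bit text.
    // "nocase" is needed because hostnames and repository paths are
    // case-insensitive and tool names are often re-cased in scripts and logs.
    $labs = "labs.portcullis.co.uk" ascii wide nocase
    $portcullislabs = "portcullislabs" ascii wide nocase
    $CiscoCXSecurity = "CiscoCXSecurity" ascii wide nocase
    $timb_machine = "timb_machine" ascii wide nocase
    $pentestmonkey = "pentestmonkey" ascii wide nocase
    $enum4linux = "enum4linux" ascii wide nocase
    $linikatz = "linikatz" ascii wide nocase
    $unixprivesccheck = "unix-privesc-check" ascii wide nocase
  condition:
    // One hit on any literal is enough; a string added above is picked up
    // here without editing the condition.
    any of them
}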
